- On 30th September 2021, the DST X3 Root certificate expired
- Most webOS and Tizen screens do not have support for the ISRG X1 root, or do not properly validate the certificate chain if they do
- Self-hosted CMS instances that use LetsEncrypt certificates will need to swap to paid SSL certificates (we suggest RapidSSL DV) for https to work
- Cloud CMS instances are already using RapidSSL certificates and so are not affected
- LG are slowly releasing updated firwmware to allow LetsEncrypt certificates to work
- Samsung have not responded to our requests for information on how they plan to resolve this at present
LetsEncrypt is now the largest certificate authority in the world, issuing millions of certificates to allow encrypted communications for websites to be standard.
Prior to LetsEncrypt, SSL certificates were purchased from a small number of certificate authorities, who had their root certificates in the trust stores of all the major software and device vendors.
It takes a long time to get a new root certificate trusted by a wide range of devices, and so to launch, LetsEncrypt managed to get a cross-signature from an existing certificate authority. That cross signature was from the DST X3 root, which expired at the end of September 2021.
What should have happened in the time since LetsEncrypt launched, and September 2021 was that vendors should have updated the list of certificate authorities that their devices trust as part of their regular firmware updates to include the ISRG X1 root.
Unfortunately, a large proportion of Android devices do not receive such updates, and so the danger was that come September 2021, those devices would stop being able to connect to websites protected by LetsEncrypt certificates.
It was realised that Android devices do not check the date validity of the root certificates that they trust, and so LetsEncrypt arranged a new cross-sign which allows Android devices to continue to connect to servers protected with LetsEncrypt certificates, even though the DST X3 root has now expired.
In order for that to work, an extra certificate must be included in the certificate chain, which links to the expired root.
Unfortunately older versions of OpenSSL don’t correctly verify such a certificate chain and will reject it even though the chain is perfectly valid.
At the time of the DST X3 root expiry, most firmware available for webOS monitors does not have the new ISRG X1 root certificate in the trust store, and so connections to LetsEncrypt protected servers are not possible. The minimum firmware versions for LetsEncrypt compatibility can be found below:
- webOS Signage 3.0: In progress
- webOS Signage 3.2: Since v04.06.20
- webOS Signage 4.0: Since v04.08.30
- webOS Signage 4.1: Since v03.19.70
- Special Models like high brighness, Ultra stretch : In progress
What follows is our observation of the situation with Tizen monitors. We’ve not had any official response from Samsung and so we cannot confirm these are accurate.
Tizen monitors do appear to trust the ISRG X1 root, however they do not properly validate the certificate chain if the DST X3 root cross-sign is included in the certificate chain in all cases.
When further information is available from Samsung, we will update this article.